Pattern 4 : PIX Traffic

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| PIX-X-107001 : RIP Auth Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| PIX-X-713145 : Det Client in Net Extension Mode | Sub Rule | VPN Session Information | Information |
| PIX-X-305007 : Orphan IP Address | Sub Rule | Orphan IP on Interface | Information |
| PIX-X-609002 : Teardown Localhost Interface | Sub Rule | Connection Teardown | Network Traffic |
| PIX-X-201006 : RCMD Backconnection Failed | Sub Rule | RCMD Backconnection Failed | Error |
| PIX-X-212004 : Unable to Send SNMP Response | Sub Rule | Unable to Send an SNMP Response | Error |
| PIX-X-304004 : URL Server Request Failed | Sub Rule | URL Server Request Failed | Error |
| PIX-X-304003 : URL Server Timed Out | Sub Rule | URL Server Request Failed | Error |
| PIX-X-304005 : URL Server Request Pending | Sub Rule | URL Server Request Pending | Information |
| PIX-X-201005 : FTP Data Connection Failed | Sub Rule | FTP Data Connection Failed | Error |
| PIX-X-304007 : URL Server Not Responding | Sub Rule | URL Server Not Responding | Error |
| PIX-X-304006 : URL Server Not Responding | Sub Rule | URL Server Not Responding | Error |
| PIX-X-606003 : PDM Logging Session Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| No Matching Record for ICMP Error Message | Sub Rule | No Matching Connection for ICMP Error Message | Warning |
| ASA-4-313005 : ICMP Error Message | Sub Rule | No Matching Connection for ICMP Error Message | Warning |
| PIX-X-210006 : LU Look NAT | Sub Rule | Statefull Failover | Warning |
| PIX-X-718002 : Create Peer Failed | Sub Rule | Tunnel Creation Failure | Error |
| PIX-X-713226 : Connection Failed | Sub Rule | Tunnel Creation Failure | Error |
| PIX-X-213002 : PPTP Tunnel Hashtable Insert Failed | Sub Rule | Tunnel Creation Failure | Error |
| PIX-X-409002 : External LSA Netmask | Sub Rule | Peer Forwarding Stopped - VLAN Not Found | Error |
| PIX-X-319002 : Acknowledge for Route Update Not Rx | Sub Rule | Acknowledge for Route Update Not Received | Warning |
| PIX-X-319003 : ARP Update Failed | Sub Rule | ARP Update Failed | Warning |
| PIX-X-319001 : Acknowledge for ARP Update Not Rx | Sub Rule | Acknowledge for ARP Update Not Received | Warning |
| PIX-X-319004 : Route Update Failed | Sub Rule | Route Update Failed | Warning |
| PIX-X-109017 : User Exceeded Proxy Limit | Sub Rule | Proxy Limit Exceeded | Warning |
| PIX-X-201009 : TCP Connection Limit Exceeded | Sub Rule | TCP Connection Limit Exceeded | Warning |
| PIX-X-201002 : Too Many TCP Connections | Sub Rule | TCP Connection Limit Exceeded | Warning |
| PIX-X-201004 : Too Many UDP Connections | Sub Rule | UDP Connection Limit Exceeded | Warning |
| PIX-X-315005 : SSH Session Limit Exceeded | Sub Rule | SSH Session Limit Exceeded | Warning |
| PIX-X-317002 : Bad Path Index | Sub Rule | Bad Path Index | Error |
| PIX-X-713147 : Terminating Tunnel | Sub Rule | Terminating Tunnel | Information |
| PIX-X-713135 : Tunnel Redirected | Sub Rule | Tunnel Redirected | Information |
| PIX-X-324006 : Tunnel Limit Exceeded | Sub Rule | Tunnel Limit Exceeded | Warning |
| PIX-X-309004 : Manager Session Limit Exceeded | Sub Rule | Telnet Session Limit Exceeded | Warning |
| PIX-X-307004 : Telnet Session Limit Exceeded | Sub Rule | Telnet Session Limit Exceeded | Warning |
| PIX-X-312001 : RIP Header Failed | Sub Rule | RIP Header Failed | Information |
| PIX-X-409001 : Database Scanner Is Lost | Sub Rule | Unexpected Condition | Information |
| PIX-X-409004 : Received Request from Unknown Host | Sub Rule | Request Packet Received from Unknown Host | Network Traffic |
| PIX-X-409012 : Det Router With Duplicate Router ID | Sub Rule | General Hello Packet Warning | Warning |
| PIX-X-604101 : DHCP Client Allocated IP | Sub Rule | DHCP Client Address Allocated | Information |
| PIX-X-606002 : PDM Session Ended | Sub Rule | Session Ended | Other Audit Success |
| PIX-X-609001 : Built Localhost Interface | Sub Rule | Built Localhost Interface | Network Traffic |
| PIX-X-718003 : Got Unknown Peer Message | Sub Rule | General Load Balancing Message | Information |
| PIX-X-611315 : Disconn from Load Balancing Cluster | Sub Rule | General Load Balancing Message | Information |
| PIX-X-613001 : Checksum Failure in DB | Sub Rule | Checksum Warning | Warning |
| PIX-X-613003 : Netmask Changed | Sub Rule | Netmask Changed | Information |
| PIX-X-713004 : Device Scheduled for Reboot | Sub Rule | Device Scheduled for Reboot | Warning |
| PIX-X-713006 : Failed to Obtain State | Sub Rule | Failed to Obtain State | Warning |
| PIX-X-713122 : Keepallives Configured But Not on PE | Sub Rule | Keep-Alive Configuration Warning | Warning |
| PIX-X-713128 : Connection Attempt Redirected | Sub Rule | Connection Attempt Re-directed | Warning |
| PIX-X-713212 : Could Not Add Route | Sub Rule | Route Creation Failed | Warning |
| PIX-X-713205 : Could Not Add Route | Sub Rule | Route Creation Failed | Warning |
| PIX-X-713146 : Could Not Add Route | Sub Rule | Route Creation Failed | Warning |
| PIX-X-713211 : Adding Static Route | Sub Rule | Route Created | Information |
| PIX-X-713213 : Deleting Static Route | Sub Rule | Route Deleted | Information |
| PIX-X-713214 : Could Not Delete Static Route | Sub Rule | Route Removal Failure | Warning |
| PIX-X-718016 : Received Hello Response | Sub Rule | General Hello Message | Information |
| PIX-X-718015 : Received Hello Request | Sub Rule | General Hello Message | Information |
| PIX-X-718027 : Received Unexpected Keepalive Req | Sub Rule | General Keep-Alive Message | Information |
| PIX-X-718032 : Received OOS Indicator | Sub Rule | General OOS Message | Information |
| PIX-X-718031 : Received OOS Obituary | Sub Rule | General OOS Message | Information |
| PIX-X-718030 : Received OOS | Sub Rule | General OOS Message | Information |
| PIX-X-718039 : Process Dead Peer | Sub Rule | Dead Peer Detected | Information |
| PIX-X-719002 : Email Proxy Session Pointer Terminated | Sub Rule | Session Terminated Due to Error | Error |
| PIX-X-719004 : Email Proxy Session Pointer Established | Sub Rule | General Email Proxy Message | Information |
| PIX-X-719003 : Email Proxy Session Pointer Freed | Sub Rule | General Email Proxy Message | Information |
| PIX-X-308001 : Console Enable Password Incorrect | Sub Rule | Console Enable Failed | Warning |
| PIX-X-713184 : Client Type And Version | Sub Rule | General Version Information | Information |
| PIX-X-606001 : PDM Session Started | Sub Rule | Process/Service Starting | Startup and Shutdown |
| PIX-X-606004 : PDM Logging Session Terminated | Sub Rule | Process/Service Stopping | Startup and Shutdown |
| PIX-X-113019 : Session Disconnected - Unknown | Sub Rule | Session Disconnected | Other Audit Success |
| PIX-X-113019 : Session Disconnected - Preempted | Sub Rule | Session Disconnected | Other Audit Success |
| PIX-X-113019 : Session Disconnected - Phase 2 | Sub Rule | Session Disconnected | Other Audit Success |
| PIX-X-113019 : Session Disconnected - Reconnected | Sub Rule | Session Disconnected | Other Audit Success |
| PIX-X-113019 : Session Disconnected - Address Changed | Sub Rule | Session Disconnected | Other Audit Success |
| PIX-X-113019 : Session Disconnected - Lost Service | Sub Rule | Session Disconnected | Other Audit Success |
| PIX-X-113019 : Session Disconnected - Admin Reset | Sub Rule | Session Disconnected | Other Audit Success |
| PIX-X-113019 : Session Disconnected - User Request | Sub Rule | Session Disconnected | Other Audit Success |
| PIX-X-199001 : Reload Command Executed | Sub Rule | Command Executed | Access Success |
| PIX-X-113019 : Session Disconnected - Idle Timeout | Sub Rule | Connection Timed Out | Network Traffic |
| PIX-X-304001 : URL Access | Sub Rule | Object Accessed | Access Success |
| PIX-X-713228 : Private IP Assigned to Remote User | Sub Rule | Private IP Assigned to Remote User | Network Traffic |
| PIX-X-737006 : Pool Request Succeeded for Group | Sub Rule | Pool Request Succeeded for Group | Other Audit Success |
| PIX-X-737007 : Pool Request Failed for Group | Sub Rule | Pool Request Failed for Group | Warning |
| PIX-X-737016 : Local Pool Address Freed | Sub Rule | Local Pool Address Freed | Information |
| PIX-X-737026 : IP Address Assigned to Client | Sub Rule | IP Address Assigned to Client | Network Traffic |
| ASA-6-713172 : NAT Autodetect Status | Sub Rule | General Warning Log Message | Warning |
| PIX-X-611307 : Head End | Sub Rule | User Logon | Authentication Success |
| PIX-X-309002 : Permitted Manager Connection | Sub Rule | User Logon | Authentication Success |
| PIX-X-307002 : Permitted Telnet Login | Sub Rule | User Logon | Authentication Success |
| PIX-X-111006 : Console Login | Sub Rule | User Logon | Authentication Success |
| PIX-X-611309 : Disconnecting from Head End | Sub Rule | User Logoff | Authentication Success |
| PIX-X-214001 : Terminating Manager Session | Sub Rule | User Logoff | Authentication Success |
| PIX-X-611318 : User Authentication Enabled | Sub Rule | Authentication Activity | Authentication Success |
| PIX-X-611310 : Xauth Succeeded | Sub Rule | Authentication Activity | Authentication Success |
| PIX-X-611311 : Xauth Failed | Sub Rule | User Logon Failure | Authentication Failure |
| PIX-X-309001 : Denied Manager Connection | Sub Rule | User Logon Failure | Authentication Failure |
| PIX-X-307003 : Telnet Login Failed | Sub Rule | User Logon Failure | Authentication Failure |
| PIX-X-307001 : Denied Telnet Login | Sub Rule | User Logon Failure | Authentication Failure |
| PIX-X-409003 : Invalid Packet | Sub Rule | Protocol Anomaly | Attack |
| PIX-X-111005 : End Configuration | Sub Rule | Configuration Modified : Network Access | Configuration |
| PIX-X-111004 : End Configuration | Sub Rule | Configuration Modified : Network Access | Configuration |
| PIX-X-111001 : Begin Configuration | Sub Rule | Configuration Enabled : Network Access | Configuration |
| PIX-X-111002 : Begin Configuration | Sub Rule | Configuration Loaded : Network Access | Configuration |
| PIX-X-111003 : Erase Configuration | Sub Rule | Configuration Deleted : Network Access | Configuration |
| PIX-3-610002 : NTP Packet Failed Authentication | Sub Rule | Suspicious Activity | Suspicious |
| PIX-X-107002 : RIP Packet Failed | Sub Rule | Suspicious Activity | Suspicious |
| ASA-5-713201 : Duplicate Packet Detected | Sub Rule | Duplicate Packet | Error |
| PIX-X-610001 : NTP Packet Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| PIX-X-605001 : HTTP Connection Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| PIX-X-407001 : Deny Traffic | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| PIX-X-315001 : Denied SSH Session | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| PIX-X-313001 : Denied ICMP | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| LU Create Static XLate Failed | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| ASA-4-313001 : Denied ICMP Packet | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Pattern 4 : PIX Traffic | Base Rule | Network Traffic | Network Traffic |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| N/A | <vmid> | Number |
| N/A | <severity> | Number |
| N/A | <sip> | Number |
| N/A | <dip> | Number |
| N/A | <sport> | Number |
| N/A | <sinterface> | Text/String |
| N/A | <login> | Text/String |
| N/A | <protname> | Text/String |
| N/A | <object> | Text/String |
| N/A | <group> | Text/String |
| N/A | <command> | Text/String |
| N/A | <reason> | Text/String |
| N/A | <duration> | Number |
| N/A | <bytesin> | Number |
| N/A | <bytesout> | Number |
| N/A | <tag1> | Text/String |